{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2025.2.2"}, "schedule": {"url": "https://cfp.pass-the-salt.org/pts2023/schedule/", "version": "0.6", "base_url": "https://cfp.pass-the-salt.org", "conference": {"acronym": "pts2023", "title": "PTS2023", "start": "2023-07-03", "end": "2023-07-05", "daysCount": 3, "timeslot_duration": "00:05", "time_zone_name": "Europe/Paris", "colors": {"primary": "#F9A743"}, "rooms": [{"name": "Amphitheater", "slug": "4-amphitheater", "guid": "4d5c8c0b-35ef-56bb-8ca9-28d62bdc76d0", "description": "Our main room hosting the single track of talks.", "capacity": 300}, {"name": "Workshop room", "slug": "5-workshop-room", "guid": "4bd548ce-8d09-527b-a6b3-2a2ca56e5c80", "description": "The room hosting our workshops.", "capacity": 30}], "tracks": [{"name": "Web Pentest", "slug": "9-web-pentest", "color": "#F111B2"}, {"name": "Boot Security", "slug": "10-boot-security", "color": "#3B8937"}, {"name": "OS Security", "slug": "11-os-security", "color": "#F6090F"}, {"name": "Network Detection & Forensics", "slug": "12-network-detection-forensics", "color": "#F76B10"}, {"name": "Keynote", "slug": "13-keynote", "color": "#059490"}, {"name": "Closing Talk", "slug": "14-closing-talk", "color": "#791185"}, {"name": "Reverser Tooling", "slug": "15-reverser-tooling", "color": "#290707"}, {"name": "OSINT & Online Security", "slug": "16-osint-online-security", "color": "#4C66F1"}, {"name": "Supply Chain Security", "slug": "17-supply-chain-security", "color": "#00B9FF"}, {"name": "Cryptography", "slug": "18-cryptography", "color": "#0442FE"}, {"name": "File Formats Horror Stories", "slug": "19-file-formats-horror-stories", "color": "#6D4242"}], "days": [{"index": 1, "date": "2023-07-03", "day_start": "2023-07-03T04:00:00+02:00", "day_end": "2023-07-04T03:59:00+02:00", "rooms": {"Amphitheater": [{"guid": "1fcae9eb-22ec-5fa3-ac54-6bda769fc9aa", "code": "9ZDVHG", "id": 113, "logo": null, "date": 
"2023-07-03T14:15:00+02:00", "start": "14:15", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-113-vulnerabilities-in-the-tpm-2-0-reference-implementation-code", "url": "https://cfp.pass-the-salt.org/pts2023/talk/9ZDVHG/", "title": "Vulnerabilities in the TPM 2.0 reference implementation code", "subtitle": "", "track": "Boot Security", "type": "Talk", "language": "en", "abstract": "Trusted Platform Module (TPM) is a standard for a secure cryptoprocessor. TPMs come in different flavors: there are discrete chips, integrated TPMs, firmware-based TPMs, and virtual TPMs. They provide a number of cryptographic features, such as generation and secure storage of cryptographic keys, symmetric and asymmetric encryption/decryption, digital signature generation/verification, and random number generation. Typical use cases include attestation of the boot process integrity, storage of disk encryption keys, and digital rights management.\r\n\r\nThe Trusted Computing Group (TCG), a nonprofit organization, is in charge of publishing and maintaining the TPM standard. As such, they provide a reference implementation of the TPM 2.0 specification. While auditing this reference implementation code, we discovered two vulnerabilities in the handling of encrypted parameters: an out-of-bounds write and an out-of-bounds read, which were assigned CVE-2023-1017 and CVE-2023-1018, respectively. Given that the bugs originate from the reference implementation, these two vulnerabilities propagated across multiple code bases and ended up affecting a wide range of vendors, from chip manufacturers to virtualization solutions and cloud computing providers. 
Among the impacted source trees we can mention the open source implementations of the TPM 2.0 standard published by Microsoft and IBM, as well as libtpms, an open source library providing software emulation of a Trusted Platform Module, which in turn is used by other free software projects, such as QEMU and VirtualBox, to provide a virtual TPM device for VMs.\r\n\r\nWe'll start this presentation by discussing how TPMs work, implementation details of the different virtual TPMs, and the internals of the protocol used to send TPM 2.0 commands. Then we'll go over the specifics of the two vulnerabilities we discovered, addressing the affected products as well as the possibilities for exploitation. Finally, we'll conclude the talk with some highlights of the complex, industry-wide disclosure process we conducted, in which numerous parties were involved.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "HQADGG", "name": "Francisco Falcon", "avatar": null, "biography": "Francisco Falcon is a security researcher and reverse engineer at Quarkslab. 
He is interested in anything involving reversing, vulnerability research and exploitation.\r\nIn the past, before joining Quarkslab, he worked at Core Security as an exploit writer.\r\nHe has been a speaker at security conferences such as REcon, Ekoparty, Hack.lu and Black Hat Europe.", "public_name": "Francisco Falcon", "guid": "110ac5b7-5d4d-5be5-ae1d-d2c964b0937b", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/HQADGG/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/9ZDVHG/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/9ZDVHG/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/9ZDVHG/resources/PTS2023-Talk-01-Vuln-in-TPM2-reference-implementati_dcsO4q9.pdf", "type": "related"}]}, {"guid": "62840174-a7b2-58ab-84a4-67794b59a494", "code": "QQR3PB", "id": 96, "logo": null, "date": "2023-07-03T14:50:00+02:00", "start": "14:50", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-96-ultrablue-user-friendly-lightweight-tpm-remote-attestation-over-bluetooth", "url": "https://cfp.pass-the-salt.org/pts2023/talk/QQR3PB/", "title": "Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth", "subtitle": "", "track": "Boot Security", "type": "Talk", "language": "en", "abstract": "During the boot of a PC, it is now common to have each stage involved in the booting process to store measurements of the next component to be loaded into a Trusted Platform Module (**_TPM_**), in order to keep a tamper-proof log of the boot chain.\r\nThose measurements are then leveraged to seal secrets, _e.g._ a disk encryption key, or to report the state of the device to a remote server in a cryptographically secure way, using a procedure known as **_remote attestation_**.\r\n\r\n_Remote attestation_ has slowly gained traction over the last few years, most notably among cloud providers such as Azure, to guard access to online resources.\r\nIt is also a key element in validating _Dynamic 
Root-of-Trust Measurements_ (DRTM), which reduce the Trusted Computing Base (TCB) compared to traditional UEFI-based boot chains,\r\nbut require a trusted third-party to validate the final state of the system.\r\nUnfortunately, little progress has been made recently to enable individual users without access to server resources to reap the benefits of remote attestation.\r\nThis is particularly frustrating considering that almost everybody carries a small trusted server with them all the time: smartphones.\r\n\r\nBuilding upon an idea by Matthew Garrett[^1], we introduce [Ultrablue](https://github.com/ANSSI-FR/ultrablue) (_**U**ser-friendly **L**ightweight **T**PM **R**emote **A**ttestation over **Blue**tooth_), a solution to securely inspect and validate a TPM event log from a phone.\r\n[Ultrablue](https://github.com/ANSSI-FR/ultrablue) consists of a command-line attester, running on a computer, and an Android graphical application, running on a trusted phone, communicating over encrypted Bluetooth low-energy (BLE).\r\nPairing the phone and computer is made easier and more secure through the use of a QR Code.\r\nAfter a trust-on-first-use provisioning phase to enroll the computer on the phone, the phone can check that the boot chain has not been compromised in later boots.\r\nSample scripts and a self-contained virtual machine are also provided as a reference of how to integrate [Ultrablue](https://github.com/ANSSI-FR/ultrablue) in the boot process to guard disk encryption by a secret delivered by the phone. 
A practical session will demonstrate this process during the conference.\r\n\r\nFuture work includes improving the user interface to inspect and validate unexpected event logs, adding support for more versatile verification policies,\r\nand integrating Ultrablue into existing hardened systems such as [Safeboot](https://safeboot.dev/) ([safeboot.dev](https://safeboot.dev/)).\r\n\r\nThe [Ultrablue](https://github.com/ANSSI-FR/ultrablue) project has been developed at [ANSSI](https://www.ssi.gouv.fr) ([ssi.gouv.fr](https://www.ssi.gouv.fr)) by Lo\u00efc Buckwell, under the supervision of Nicolas Bouchinet and Gabriel Kerneis.\r\n\r\n[^1]: Linux Conference Australia, 2020. [https://www.youtube.com/watch?v=FobfM9S9xSI](https://www.youtube.com/watch?v=FobfM9S9xSI)", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "JRURH3", "name": "Nicolas Bouchinet", "avatar": null, "biography": "Nicolas Bouchinet works as a Security Researcher at ANSSI, the National Cybersecurity Agency of France. His research focuses on the Linux kernel, userspace and boot chain.", "public_name": "Nicolas Bouchinet", "guid": "4b645994-c966-5cd0-85e4-288cada985d5", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/JRURH3/"}, {"code": "GQNSQX", "name": "Loic Buckwell", "avatar": null, "biography": "Loic is the main developer of the Ultrablue project, under the supervision of Nicolas Bouchinet and Gabriel Kerneis from ANSSI.", "public_name": "Loic Buckwell", "guid": "e9c3d802-985e-53e4-ac46-cbb49e20cfd4", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/GQNSQX/"}, {"code": "9DGKVR", "name": "Gabriel Kerneis", "avatar": null, "biography": "Gabriel works as a Security Researcher at ANSSI, the National Cybersecurity Agency of France. 
His research focuses on firmwares, trusted environment and secure boot mechanisms.", "public_name": "Gabriel Kerneis", "guid": "a555a6ea-be3e-58be-8743-f433961138f7", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/9DGKVR/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/QQR3PB/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/QQR3PB/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/QQR3PB/resources/PTS2023-Talk-02-Ultrablue_7A6Xklq.pdf", "type": "related"}]}, {"guid": "23b68ff7-f565-58be-a996-fdf5dd0de5a5", "code": "L38TN3", "id": 97, "logo": null, "date": "2023-07-03T15:25:00+02:00", "start": "15:25", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-97-for-science-using-an-unimpressive-bug-in-edk-ii-to-do-some-fun-exploitation", "url": "https://cfp.pass-the-salt.org/pts2023/talk/L38TN3/", "title": "For Science! - Using an Unimpressive Bug in EDK II To Do Some Fun Exploitation", "subtitle": "", "track": "Boot Security", "type": "Talk", "language": "en", "abstract": "EDK II is the public implementation of UEFI on which a large part of the OEMs rely to craft their own firmware. If a vulnerability were to be found in this project, it could become a huge problem as it could impact many devices. Or... It could be unimpressive and go totally unnoticed because nobody cares. \u00af\\\\\\_(\u30c4)_/\u00af  \r\nIn this talk, we'll present a bug in EDK II which is difficult to leverage in real life but still quite fun to attack.  \r\nWe'll see how we can build a complete exploit solely based on the mechanisms that are present in the public implementation and how we can gain arbitrary code execution in SMM thanks to that.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "GFB7MV", "name": "Gabrielle Viala", "avatar": null, "biography": "Gabrielle is a reverse engineer at Quarkslab. 
Her main domains of interest are the Windows internals and UEFI components.", "public_name": "Gabrielle Viala", "guid": "c5a5b3c9-26db-556b-bfb1-56067e1b53b3", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/GFB7MV/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/L38TN3/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/L38TN3/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/L38TN3/resources/PTS2023-Talk-03-EDK2_B1uFdLP.pdf", "type": "related"}]}, {"guid": "b8ed833f-1423-5ec0-8550-e155bbf2f712", "code": "MPY7WA", "id": 100, "logo": null, "date": "2023-07-03T16:30:00+02:00", "start": "16:30", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-100-the-good-the-bad-and-the-secure-a-pentester-s-journey-daily-driving-qubes-os", "url": "https://cfp.pass-the-salt.org/pts2023/talk/MPY7WA/", "title": "The Good, the Bad, and the Secure: a pentester's journey daily driving Qubes OS", "subtitle": "", "track": "OS Security", "type": "Talk", "language": "en", "abstract": "The ups and downs of a pentester who decided to daily drive Qubes OS as his working environment.", "description": "In this talk, I will provide a quick overview of Qubes OS, a security-focused operating system that uses virtualization to create secure compartments for different tasks and applications. This will ensure that everyone attending the talk understands the concepts and terminology used in the next parts.\r\n\r\nI will then share my personal journey of using Qubes OS as my daily working environment, discussing the best and worst things I encountered while using it. This will provide insights and practical advice for those who may be interested in using Qubes OS for their own work.\r\n\r\nFinally, I will discuss my perspective on Qubes OS, including why and how I decided to use it as my primary working environment. 
This part will also provide ideas on how Qubes OS can be used in various scenarios and use cases, including its benefits for security and privacy.\r\n\r\nOverall, attendees of this talk will gain a deeper understanding of Qubes OS and its benefits for security and privacy, as well as insights from my personal experience of using it as my daily working environment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "V9YUBX", "name": "Pierre Milioni", "avatar": null, "biography": "Security Ninja @ Synacktiv", "public_name": "Pierre Milioni", "guid": "15a5c733-86ac-5533-8601-4452d827a73f", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/V9YUBX/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/MPY7WA/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/MPY7WA/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/MPY7WA/resources/PTS2023-Talk-04-QubesOS_kAbDFZn.pdf", "type": "related"}]}, {"guid": "0dc896fa-cf5e-5f1a-92a0-b4167c16693a", "code": "USSHMR", "id": 102, "logo": null, "date": "2023-07-03T17:05:00+02:00", "start": "17:05", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-102-syslog-ng-4-0-where-log-management-is-heading", "url": "https://cfp.pass-the-salt.org/pts2023/talk/USSHMR/", "title": "Syslog-ng 4.0 \u2013 where log management is heading", "subtitle": "", "track": "OS Security", "type": "Talk", "language": "en", "abstract": "After 13 years, a new major release of the syslog-ng logging application is available. Previously, syslog-ng handled all data as text. Syslog-ng 4.0 can associate the proper type information with data parsed from log messages. You can use type information for comparisons within syslog-ng, and storing data to various destinations, like Elasticsearch or MongoDB. Type support enables more precise filtering and thus real-time security alerting in syslog-ng, and easier searching and reporting in databases. 
I give a quick overview of the major new syslog-ng 4 features and show with examples how these improve security at your organization.", "description": "After 13 years, a new major release of syslog-ng is available. Syslog-ng 4.0 brings type support and many additional enhancements. This presentation gives you an overview of some of the larger syslog-ng 4 features, and proves why type support is a major enhancement, improving both operations and security.\r\n\r\nWhy is type information important? Many filters in syslog-ng use comparisons, and for example, if you try to compare numbers as strings, 1000 is smaller than 90, as one precedes nine. Using type information, you can get correct comparison results. Filters are used for real-time alerting within syslog-ng. Using proper type information here also means better alerting possibilities both for operations and security.\r\n\r\nPreviously, syslog-ng handled all data parsed from log messages as text. However, even if the format is text, in practice, it can be a number, a boolean value or a list. Some syslog-ng parsers can now detect and preserve the type of data parsed into name-value pairs. You can also add type information to name-value pairs manually.\r\n\r\nName-value pairs from message parsing, filters and templates were already a major feature of the syslog-ng 3 series. Type support in version 4.0 significantly enhances their usability.\r\n\r\nPreviously, by default, syslog-ng sent all values as text, even though type information was available when the log messages entered syslog-ng. In some cases, you could set type information manually, or you could map type information on the destination side, for example, in Elasticsearch. Now you can store name-value pairs with the correct type information.\r\n\r\nIf logs are sent as text, the receiving end often handles them as text. It means, for example, that you cannot create graphs from numbers sent as text. 
Sending name-value pairs with proper type information makes it possible for the receiving end to properly use the embedded values.\r\n\r\nSyslog-ng already provides a lot of run-time information for monitoring purposes. Current developments both extend the information available and make it easier to understand. Support for Prometheus is underway.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RRBVLJ", "name": "Peter Czanik, syslog-ng PO at One Identity", "avatar": "https://cfp.pass-the-salt.org/media/avatars/czp_uj_balabit_crop_36wP6Rd.jpg", "biography": "Peter is an engineer working as open source evangelist at Balabit (a One Identity business), the company that developed syslog-ng. He assists distributions to maintain the syslog-ng package, follows bug trackers, helps users and talks regularly about sudo and syslog-ng at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.", "public_name": "Peter Czanik, syslog-ng PO at One Identity", "guid": "4ebe43d9-92da-56e9-b538-7535b68c3101", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/RRBVLJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/USSHMR/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/USSHMR/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/USSHMR/resources/PTS2023-Talk-05-Syslog-ng_QSWU1og.pdf", "type": "related"}]}], "Workshop room": [{"guid": "59f3450c-9c6f-5ba6-81e3-1bf02f54fc41", "code": "VRBZJZ", "id": 130, "logo": null, "date": "2023-07-03T14:15:00+02:00", "start": "14:15", "duration": "03:00", "room": "Workshop room", "slug": "pts2023-130-sanzu-hands-on", "url": "https://cfp.pass-the-salt.org/pts2023/talk/VRBZJZ/", "title": "Sanzu Hands-on", "subtitle": "", "track": "OS Security", "type": "Workshop", "language": "en", "abstract": "Sanzu is a graphical remote desktop 
solution. It is fast, robust, and of course Open Source !", "description": "[Sanzu](https://github.com/cea-sec/sanzu) is a graphical remote desktop solution. It is composed of:\r\n\r\n- a server running on Unix or Windows which can stream a X11 or a Windows GUI environment (for now the Unix version is more advanced)\r\n- a client running on Unix or Windows which can read this stream and interact with the GUI environment\r\n\r\nIt uses modern video codecs like h264/h265 to offer a good image quality and limit its bandwidth consumption. Video compression is done through FFmpeg which allows the use of graphic cards or full featured CPU to achieve fast video compression at low latency. It also allows the use of yuv420 or yuv444 for better graphical details.\r\n\r\nWorkshop Schedule : \r\n\r\n- Introduction : Presentation of Sanzu \r\n- Practice : How to use Sanzu in a simple client/server setup (remote access to a VM)\r\n- Presentation : What is the sanzu broker and how does it work\r\n- Practice : How to setup a sanzu broker which spawns a new X server when a new sanzu client connects to the sanzu broker\r\n- Presentation : Remote Browsing with Sanzu\r\n\r\n\r\nRequirement : \r\n\r\n- A laptop (or a virtual machine) to install the sanzu client on it\r\n- One virtual machine running Linux to use as a server for Sanzu", "recording_license": "", "do_not_record": false, "persons": [{"code": "Z8RKKG", "name": "Antonin Fringant", "avatar": null, "biography": null, "public_name": "Antonin Fringant", "guid": "e64785aa-379b-5f81-9a7d-d60c59c921e4", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/Z8RKKG/"}, {"code": "S7C7VE", "name": "Fr\u00e9d\u00e9ric Vanni\u00e8re", "avatar": null, "biography": null, "public_name": "Fr\u00e9d\u00e9ric Vanni\u00e8re", "guid": "ceed065a-bb06-50f3-9b39-6a3524e93097", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/S7C7VE/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/VRBZJZ/feedback/", "origin_url": 
"https://cfp.pass-the-salt.org/pts2023/talk/VRBZJZ/", "attachments": []}]}}, {"index": 2, "date": "2023-07-04", "day_start": "2023-07-04T04:00:00+02:00", "day_end": "2023-07-05T03:59:00+02:00", "rooms": {"Amphitheater": [{"guid": "6f7499dc-7cc5-59f0-873a-ddae3b17fdc7", "code": "DTDEC8", "id": 123, "logo": null, "date": "2023-07-04T09:15:00+02:00", "start": "09:15", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-123-analyse-your-weird-urls-the-easy-way", "url": "https://cfp.pass-the-salt.org/pts2023/talk/DTDEC8/", "title": "Analyse your weird URLs the easy way", "subtitle": "", "track": "OSINT & Online Security", "type": "Talk", "language": "en", "abstract": "Websites are a hellish mess and even when you're lucky enough to have a still-working URL they will often have widely different outcomes depending on your browser settings, your location and the instant you try to load it. This talk will show you a few examples and a complete suite of tools to integrate such an analysis in your day-to-day workflow.", "description": "You might have heard of [Lookyloo](https://github.com/Lookyloo/lookyloo) before, but this talk will not be limited to it. We will show you that you can integrate it in a complete tool suite:\r\n\r\n* [Pandora](https://github.com/pandora-analysis/pandora): to analyze files and emails (which can be forwarded from your mailbox), extract attachments and observable such as URLs and submitting them to Lookyloo\r\n* Process URLs pointing to a downloadable file in Lookyloo and submitting them to Pandora \r\n* Once a URL is analyzed, it can be submitted to a [monitoring interface](https://github.com/Lookyloo/monitoring) which will compare capture across time and inform you when something relevant changes - could be the URL being taken down, or your website serving malware\r\n\r\nOr maybe you Just want to capture URLs and don't care about Lookyloo? 
Well, we also have you sorted and developed a standalone capturing interface called [Lacus](https://github.com/ail-project/lacus), which is already used in production by [AIL Framework](https://github.com/ail-project).\r\n\r\nAll of that has (obviously) an integration with [MISP](https://github.com/MISP/) for long term storage and sharing with your community.\r\n\r\nIn short, we're going to present you a complete suite of OSS tools that you can use either independently, or all together to hopefully make your life easier.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YPKMAQ", "name": "Rapha\u00ebl Vinot (Developer, Lookyloo)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/0aed579ff806e3c3_wFum0Vj.jpg", "biography": "Formerly member of [CIRCL](https://www.circl.lu/), I moved to France but didn't go that far in spirit as I'm still part of the developers and maintainers for a [whole](https://github.com/Lookyloo) [bunch](https://github.com/pandora-analysis/) [of](https://www.youtube.com/watch?v=iwGFalTRHDA) [tools](https://github.com/MISP/) [there](https://github.com/ail-project). 
Some say it is too many, we disagree.", "public_name": "Rapha\u00ebl Vinot (Developer, Lookyloo)", "guid": "8d08aadb-a86c-5a2c-89d1-3e8c2c813b98", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/YPKMAQ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/DTDEC8/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/DTDEC8/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/DTDEC8/resources/PTS2023-Talk-06-Analyse-your-weird-URLs-the-easy-wa_2Qm7LeK.pdf", "type": "related"}]}, {"guid": "01f05603-348c-5d6d-97d9-9348cc04108e", "code": "C9XNRF", "id": 116, "logo": null, "date": "2023-07-04T09:50:00+02:00", "start": "09:50", "duration": "00:20", "room": "Amphitheater", "slug": "pts2023-116-typosquatting-finder", "url": "https://cfp.pass-the-salt.org/pts2023/talk/C9XNRF/", "title": "Typosquatting-finder", "subtitle": "", "track": "OSINT & Online Security", "type": "Short Talk", "language": "en", "abstract": "Existing tools like dnstwist or urlcrazy are useful for identifying typosquatting, but they don't allow users to choose a generation of variation with all possible algorithms. To address this, we created a library that compiles all possible variations for a domain name. But why stop there? We also developed a user-friendly website to make the tool accessible to everyone. And now, there's a possibility to look for package squatting on platform like pypi...\r\n\r\nIn this session, we will introduce the website and its functionalities, including all possible algorithms currently implemented in the library. Our library and website are both open source, and there is even an online version available to the public, as well as MISP integration. 
With these resources, there is no excuse for not protecting your organization from potential typosquatting domains.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "MWF7U8", "name": "Alexandre Dulaunoy", "avatar": "https://cfp.pass-the-salt.org/media/avatars/40d2a172b3e9160f1709d3a05b7e8e8a_ld8lWKE.jpg", "biography": "I break stuff and I do stuff.", "public_name": "Alexandre Dulaunoy", "guid": "c9201d6b-2483-50e7-a2e7-e01c13c44465", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/MWF7U8/"}, {"code": "TVLX7N", "name": "David Cruciani", "avatar": null, "biography": "Security researcher at CIRCL", "public_name": "David Cruciani", "guid": "a411ab00-a883-521f-b866-aafbfced7592", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/TVLX7N/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/C9XNRF/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/C9XNRF/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/C9XNRF/resources/PTS2023-Talk-07-typosquatting_DURcby7.pdf", "type": "related"}]}, {"guid": "28225fce-0952-5409-977e-3700d7c90978", "code": "YNEF3M", "id": 101, "logo": null, "date": "2023-07-04T10:10:00+02:00", "start": "10:10", "duration": "00:20", "room": "Amphitheater", "slug": "pts2023-101-clustering-large-amount-of-email-with-minhash-an-open-source-locality-sensitive-hash", "url": "https://cfp.pass-the-salt.org/pts2023/talk/YNEF3M/", "title": "Clustering large amount of email with Minhash: an open-source Locality sensitive hash", "subtitle": "", "track": "OSINT & Online Security", "type": "Short Talk", "language": "en", "abstract": "In the last decades, the world's connectivity has increased exponentially, and email is one of the key indicators of this connectivity. In 2022, more than 340 billion emails were sent on average each day, an increase of about 5% in comparison to the previous year. 
Because the reach of emails is so broad, they have in recent years been used more and more to perform a wide variety of cyber security attacks. On the one side, targeted attacks such as spear-phishing or Business Email Compromise (BEC) can be disastrous for companies and are responsible for millions of dollars in losses each year. These kinds of attacks are usually fine-tuned to deceive the victim, and thus very hard to detect with automation. Furthermore, they are really sparse in comparison to other types of email attacks (1 in 100 000 emails). On the other side, spam and phishing campaigns are broad attacks that usually target large groups of email addresses. Campaign attacks are typically composed of bulks of emails sharing a similar template and sent en masse in the hope of hitting just a small fraction of their targets, prioritizing the quantity of attacks sent over the quality of the attack (about 80% of emails sent every day are spam emails). For cybersecurity providers such as Vade, a challenge is to detect and block these campaigns as fast as possible. While emails in a campaign used to be exactly the same and thus relatively easy to catch, attackers have been more and more keen to add noise and tricks to fool detection algorithms, while still maintaining the visual aspect of the email. This evolution has seen, as a consequence, an increase in interest in the nearest neighbor problem. The nearest neighbor problem (nnp) is an optimization problem that arises for many kinds of data-driven tools. In particular, detecting duplicate or near-duplicate documents is a critical application of the nnp. A similarity search problem usually involves a large collection of objects, each characterized by a set of features and representable as points in a high-dimensional attribute space. Given a document, we are queried to find its most similar documents in the database. 
This problem has been shown to be NP-complete, and as such is still infeasible to solve in reasonable time.", "description": "In this presentation, we will present a full pipeline of clustering of emails sent in a continuous flow, from the email to the clusters, using minhash (https://en.wikipedia.org/wiki/MinHash), an open source locality sensitive hashing algorithm. The presentation will be conducted as follows:\r\n- Explain how to extract key data from the email and remove the content added to fool the clustering algorithm.\r\n- Explain normalization through open source tools such as \"https://www.npmjs.com/package/sanitize-html\". This helps reduce the noise to info ratio in the email.\r\n- Present Locality sensitive hashing through the open source algorithm minhash, which creates fingerprints that will collide for similar emails.\r\n- Present the \"Bucketization\" technique to cluster the fingerprints.\r\n- Present results on real email data.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EPMUZ9", "name": "Nicolas Berveglieri", "avatar": "https://cfp.pass-the-salt.org/media/avatars/thumbnail_Nicolas_Berveglieri_QKgKujm.jpg", "biography": "PhD from \"Universit\u00e9 de Lille\", INRIA (French) and MODO (Japanese) Lab, specialized in large scale optimization assisted by machine learning tools.\r\n\r\nNow working at Vade as a research engineer.", "public_name": "Nicolas Berveglieri", "guid": "5a434401-ee80-569b-8cac-f9b7e37b16f8", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/EPMUZ9/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/YNEF3M/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/YNEF3M/", "attachments": [{"title": "Slides", "url": "/media/pts2023/submissions/YNEF3M/resources/PTS2023-Talk-08-minhash_08v2S8s.pdf", "type": "related"}]}, {"guid": "35b92103-c3c8-5d98-b925-b773bc42251d", "code": "8MS9ZL", "id": 115, "logo": null, "date": "2023-07-04T11:00:00+02:00", "start": 
"11:00", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-115-data-mining-darknet-and-social-network-monitoring-exploring-the-latest-features-of-the-ail-framework", "url": "https://cfp.pass-the-salt.org/pts2023/talk/8MS9ZL/", "title": "Data Mining, Darknet and Social Network Monitoring - Exploring the Latest Features of the AIL Framework", "subtitle": "", "track": "OSINT & Online Security", "type": "Talk", "language": "en", "abstract": "Data Mining, Darknet, and Social Network Monitoring are critical components of modern threat intelligence and security operations. The AIL Project is an open source framework designed to collect, crawl, dig, and analyze unstructured data from various sources. With its extensible Python-based framework, AIL can analyze unstructured data collected via an advanced Crawler manager or from different feeders such as PasteBin-alike sites, Twitter, Discord, Telegram Stream providers, or custom feeders.\r\n\r\nAIL supports active crawling of Tor hidden services, protected websites and forums with pre-recorded session cookies. Its modular design allows for easy contribution and extension, enabling the addition of new Analyzer modules, feeders, or streams without the need to know the inner workings. The framework also has integrations with other open source projects such as MISP or cve-search.\r\n\r\n\r\nThis presentation will focus on the latest version of the AIL framework (v5.0) and its new features. 
Attendees will learn about the following:\r\n- An overview of the modular design of AIL and its extensibility through Analyzer modules, feeders, and exporters.\r\n- Demonstrations of how the new features can be used in practice, including practical examples of investigating Tor hidden services and other sources of data.\r\n- Best practices for data collection and analysis with AIL, including performance optimization techniques and integration with other open source projects such as MISP.\r\n\r\nJoin us for this exciting presentation and learn how AIL can help you with your data analysis and threat detection needs.\r\n\r\nhttps://github.com/ail-project/\r\n\r\nhttps://github.com/ail-project/ail-framework", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "FRFFUB", "name": "Aurelien Thirion", "avatar": null, "biography": "Dark web connoisseur - Open source developer", "public_name": "Aurelien Thirion", "guid": "d2c6ac51-1fbe-5d72-9d96-43a130fbcaa2", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/FRFFUB/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/8MS9ZL/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/8MS9ZL/", "attachments": [{"title": "Slides", "url": "/media/pts2023/submissions/8MS9ZL/resources/PTS2023-Talk-09-AIL_CngOVHq.pdf", "type": "related"}]}, {"guid": "770f3afb-8346-5031-9336-6b1ed7169353", "code": "T9XQNG", "id": 98, "logo": null, "date": "2023-07-04T11:35:00+02:00", "start": "11:35", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-98-reproducible-research-in-micro-architecture-security-and-beyond-from-paper-to-artifact-evaluation", "url": "https://cfp.pass-the-salt.org/pts2023/talk/T9XQNG/", "title": "Reproducible Research in Micro-architecture Security (and Beyond): from Paper to Artifact Evaluation", "subtitle": "", "track": "Keynote", "type": "Talk", "language": "en", "abstract": "Reproducible research is generally speaking a good idea we 
all agree on, but can be a bit of a nightmare when dealing with hardware -- and actually, even software. In this presentation, I will talk about reproducibility in the context of academic security, and more precisely the reproducibility of attacks on micro-architecture. \r\n\r\nIn a first part, we will see the limits of \"just sharing code\" in terms of reproducible research. In a second part, we will explore the good, the bad, and the ugly of trying to reproduce micro-architectural attacks. Finally, we will discuss a great (and quite recent) initiative of academic security conferences: artifact evaluation.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "A3NBRQ", "name": "Cl\u00e9mentine Maurice", "avatar": "https://cfp.pass-the-salt.org/media/avatars/tangerine_zN7CUX4.png", "biography": "Cl\u00e9mentine Maurice is a full-time CNRS researcher (\"Charg\u00e9e de Recherche\") in the Spirals team at CRIStAL (Lille, France). Prior to that, she obtained her PhD from Telecom ParisTech in 2015, and then worked as a postdoctoral researcher at Graz University of Technology, Austria. Her research interests span software-based side-channel and fault attacks on commodity computers and servers, leveraging micro-architectural components. She also enjoys reverse-engineering processor parts. 
Beyond academic conferences, she presented her research at venues like the Chaos Communication Congress and BlackHat Europe.", "public_name": "Cl\u00e9mentine Maurice", "guid": "b5f474e3-aafc-5c2e-9517-5e93278487c1", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/A3NBRQ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/T9XQNG/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/T9XQNG/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/T9XQNG/resources/PTS2023-Talk-10-Reproductible-research_2ip7JFs.pdf", "type": "related"}]}, {"guid": "6f91b87d-f495-580f-8ec2-d76277db99b5", "code": "YAJN93", "id": 122, "logo": null, "date": "2023-07-04T14:00:00+02:00", "start": "14:00", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-122-supply-chain-security-in-open-source-ecosystems-the-rust-case", "url": "https://cfp.pass-the-salt.org/pts2023/talk/YAJN93/", "title": "Supply-chain security in open-source ecosystems: the Rust case", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Rust is an increasingly popular systems programming language, especially thanks to its memory safety guarantees and more general focus on safety.\r\nThis talk will give an overview of where it stands regarding the software supply-chain security challenges, including vulnerability management across the ecosystem, dedicated tooling and integration into larger efforts (OpenSSF projects, etc.)\r\n\r\nIt will cover the topic from both an internal (as a member of the Rust Secure Code WG) and an external (as a software editor using Rust) point of view.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "X83YMJ", "name": "Alexis Mousset", "avatar": null, "biography": "Alexis Mousset is working on Rudder, an infra configuration & security management tool, as lead developer on system topics (configuration automation, agents, networking, 
etc.)\r\nHe is also part of the Rust language Secure Code working group, which promotes tooling to help write secure code in Rust and manages the Rust ecosystem vulnerability database.", "public_name": "Alexis Mousset", "guid": "96e6c7e0-60aa-5edc-ae2a-0557af7d49bc", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/X83YMJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/YAJN93/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/YAJN93/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/YAJN93/resources/PTS2023-Talk-11-rust-supply-chain-security-amousset_YXNI80V.pdf", "type": "related"}]}, {"guid": "4f29274c-0578-55a7-86f7-4efd47a4f8e0", "code": "9XNUZL", "id": 124, "logo": null, "date": "2023-07-04T14:35:00+02:00", "start": "14:35", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-124-introduction-to-sigstore-cryptographic-signatures-made-easier", "url": "https://cfp.pass-the-salt.org/pts2023/talk/9XNUZL/", "title": "Introduction to Sigstore: cryptographic signatures made easier", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "The last few years have seen a significant rise in Supply Chain attacks targeting third party software used in larger projects. With the need for developers to attest to the integrity and provenance of their software dependencies, alternatives have emerged to make tracing software back to the source more accessible, without a need for specific knowledge of the cryptographic protocols used for generating and verifying artifact signatures.\r\n\r\nProject Sigstore (https://www.sigstore.dev/) is a new standard for signing, verifying and protecting software. This talk will provide an introduction to Sigstore, explaining the different components the project is built upon and how developers can use it to sign and verify software artifacts (software packages, container images...) in a secure way. 
Notably, Sigstore solves the issue of private key storage and management by implementing \"keyless\" signing, where users can generate ephemeral key pairs and sign an artifact using an identity provider such as GitHub, Microsoft or Google.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "RXA93D", "name": "Maya Costantini", "avatar": "https://cfp.pass-the-salt.org/media/avatars/1645895144516_MMV4uBJ.jpeg", "biography": "Maya is a Software Engineer in Red Hat's Emerging Technologies security team.\r\nShe is passionate about Python, open source and software supply chain security.", "public_name": "Maya Costantini", "guid": "2d50234d-1998-5661-9f7c-1cc8232ca5fd", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/RXA93D/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/9XNUZL/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/9XNUZL/", "attachments": [{"title": "Slides", "url": "/media/pts2023/submissions/9XNUZL/resources/PTS2023-Talk-12-Introduction-to-Sigstore_Cryptograp_1A7jVvl.pdf", "type": "related"}]}, {"guid": "6fa23ba5-7810-56bd-90a0-f6716a43f04e", "code": "NQY3WL", "id": 114, "logo": null, "date": "2023-07-04T15:10:00+02:00", "start": "15:10", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-114-how-to-secure-your-software-supply-chain-and-speed-up-dfir-with-hashlookup", "url": "https://cfp.pass-the-salt.org/pts2023/talk/NQY3WL/", "title": "How to Secure Your Software Supply Chain and Speed-Up DFIR with Hashlookup", "subtitle": "", "track": "Supply Chain Security", "type": "Talk", "language": "en", "abstract": "Hashlookup's aim is to index the hashes of all published and released software. It crawls and indexes the hashes from many different public sources, which include Linux distributions, operating systems such as Windows, or alternative distributions. 
The goal is to provide analysts, digital forensic investigators and security researchers with a fast and efficient way to get contextual information about published software. hashlookup's goal is to support digital forensic investigation but also the review of software supply chain and distribution channels.", "description": "Hashlookup's aim is to index the hashes of all published and released software. It crawls and indexes the hashes from many different public sources, which include Linux distributions, operating systems such as Windows, or alternative distributions. The goal is to provide analysts, digital forensic investigators and security researchers with a fast and efficient way to get contextual information about published software. hashlookup's goal is to support digital forensic investigation but also the review of software supply chain and distribution channels.\r\n\r\nhashlookup.io is an open-source project and service, which means that it's freely available for anyone to use or contribute to. Both open-source and proprietary software can be distributed in various ways, and in this article, we'll discuss the challenges of gathering all the different sources. 
We'll also explore the various risks associated with supply chain attacks and offer some strategies for addressing these issues.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MWF7U8", "name": "Alexandre Dulaunoy", "avatar": "https://cfp.pass-the-salt.org/media/avatars/40d2a172b3e9160f1709d3a05b7e8e8a_ld8lWKE.jpg", "biography": "I break stuff and I do stuff.", "public_name": "Alexandre Dulaunoy", "guid": "c9201d6b-2483-50e7-a2e7-e01c13c44465", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/MWF7U8/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/NQY3WL/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/NQY3WL/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/NQY3WL/resources/PTS2023-Talk-13-Hashlookup-supply-chain_Wl4jqj1.pdf", "type": "related"}]}, {"guid": "384ffd34-7226-5135-973a-830a90995b00", "code": "9H8FH3", "id": 126, "logo": null, "date": "2023-07-04T16:15:00+02:00", "start": "16:15", "duration": "00:20", "room": "Amphitheater", "slug": "pts2023-126-map-your-firmware", "url": "https://cfp.pass-the-salt.org/pts2023/talk/9H8FH3/", "title": "Map your firmware!", "subtitle": "", "track": "Reverser Tooling", "type": "Short Talk", "language": "en", "abstract": "Nowadays structured firmwares can be a complete OS with thousands of files. It usually requires several hours to find the links between some components, and it is easy to get lost in this mass of information.\r\nThis talk will introduce how we have combined and extended already existing open-source solutions to solve this issue and help reversers in their daily tasks. The resulting tool, Pyrrha, allows users to visualize the different binaries and libraries of the firmware and their interactions in the form of several dependency graphs.", "description": "Pyrrha is an extension of Sourcetrail [1], an open-source source code explorer (for C/C++, Python, and Java). 
This extension uses LIEF [2] to analyze imports and exports of each library and binary of the firmware and create links between them. The result is exported as a sourcetrail database. Thanks to Sourcetrail UI, the user will be able to navigate and search in the resulting firmware mapping.\r\n\r\n[1] https://github.com/CoatiSoftware/Sourcetrail \r\n[2] https://lief-project.github.io/", "recording_license": "", "do_not_record": false, "persons": [{"code": "SQFUGJ", "name": "Elo\u00efse Brocas", "avatar": "https://cfp.pass-the-salt.org/media/avatars/unicorn_g3SELja.png", "biography": "Elo\u00efse Brocas is a security researcher and reverse engineer at Quarkslab.", "public_name": "Elo\u00efse Brocas", "guid": "c7ef18ce-4bc1-5e1b-abcc-af6b292b3967", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/SQFUGJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/9H8FH3/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/9H8FH3/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/9H8FH3/resources/PTS2023-Talk-14-Pyrrha-map-your-firmware_sRuQzfT.pdf", "type": "related"}]}, {"guid": "f3a7a270-979b-5358-a497-8cdb3172aa5e", "code": "LZHYRS", "id": 77, "logo": null, "date": "2023-07-04T16:35:00+02:00", "start": "16:35", "duration": "00:20", "room": "Amphitheater", "slug": "pts2023-77-gepetto-ai-powered-reverse-engineering", "url": "https://cfp.pass-the-salt.org/pts2023/talk/LZHYRS/", "title": "Gepetto: AI-powered reverse-engineering", "subtitle": "", "track": "Reverser Tooling", "type": "Short Talk", "language": "en", "abstract": "AI tools have broken out spectacularly in 2022, offering image generation, video upscaling, text completion, and much more.\r\nThe recent release of OpenAI's ChatGPT led researchers to discover that the new language model had unexpected security engineering capabilities. 
In particular, this talk explores the use of the davinci-003 model to automatically comment decompiled functions and suggest new names for their variables.\r\n\r\nThis led to the creation of Gepetto, an IDA Pro plugin that extracts information from the tool and submits it into OpenAI's API to speed up the analysis dramatically for the rough equivalent of 1$ per day.\r\n\r\nThe plugin's code is available here: https://github.com/JusticeRage/Gepetto", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BNDFWU", "name": "Ivan Kwiatkowski", "avatar": null, "biography": "An OSCP and OSCE-certified penetration tester and malware analyst working as a Senior Security Researcher in the Global Research and Analysis Team (GReAT) at Kaspersky Lab since 2018. Also delivers Kaspersky\u2019s reverse-engineering trainings in Europe. Ivan maintains an open-source dissection tool for Windows executables and his research was presented during several cybersecurity conferences. 
As a digital privacy activist, he also operates an exit node of the Tor network.", "public_name": "Ivan Kwiatkowski", "guid": "d3296c77-838a-5f20-9715-d4839a766291", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/BNDFWU/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/LZHYRS/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/LZHYRS/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/LZHYRS/resources/PTS2023-Talk-15-Gepetto_hbyiEnp.pdf", "type": "related"}]}], "Workshop room": [{"guid": "dbb4d398-4014-5b8b-b8f8-0ce44422cb04", "code": "DEPJLQ", "id": 103, "logo": null, "date": "2023-07-04T09:15:00+02:00", "start": "09:15", "duration": "03:00", "room": "Workshop room", "slug": "pts2023-103-syslog-ng-from-zero-to-hero-including-syslog-ng-4-changes", "url": "https://cfp.pass-the-salt.org/pts2023/talk/DEPJLQ/", "title": "Syslog-ng: from zero to hero, including syslog-ng 4 changes", "subtitle": "", "track": "OS Security", "type": "Workshop", "language": "en", "abstract": "The syslog-ng application is an enhanced logging daemon with a focus on portability and high-performance central log collection. It is used mainly by IT security professionals, but also in Ops and DevOps environments and by embedded developers. The syslog-ng workshop helps you take the first steps with syslog-ng, and shows how you can quickly get more information out of your logs and have greater insight into what happens on your network. Ideal for beginners, but covers advanced possibilities for seasoned syslog-ng users as well. 
It also introduces you to syslog-ng 4 changes, focusing on type support, and how it makes your work easier and broadens possibilities.", "description": "You will learn: \r\n\r\n    \u2022 The basic concepts of configuring and running syslog-ng, \r\n\r\n    \u2022 an introduction to message parsing, \r\n\r\n    \u2022 how to store your log messages in Elasticsearch, and \r\n\r\n    \u2022 differences between syslog-ng 3 and 4\r\n\r\nTo try the configurations on your machine, you will need:\r\n\r\n    \u2022 a recent version of syslog-ng (3.23 or newer: https://syslog-ng.com/3rd-party-binaries) \r\n\r\n    \u2022 Elasticsearch 7+ with Kibana installed or Opensearch (optional)\r\n\r\n\tLast time I was criticized that handing out a USB key at a security event is controversial :-) so install syslog-ng and optionally Elasticsearch on your laptop or in a VM.\r\n\r\nWorkshop schedule:\r\n\r\n    \u2022 Theory: Introductory presentation - the concepts of syslog-ng. Explains the different building blocks (sources, parsers, filters, destinations, etc.), and how to connect them together using log statements.\r\n\r\n    \u2022 Practice: Try these concepts in practice. Creating a simple configuration, checking syntax, running in the foreground with different debugging options, and running in the background as a service.\r\n\r\n    \u2022 Theory: Message parsing is a main feature of syslog-ng from the security professional's point of view. Most of the log messages on Linux / UNIX arrive in a free-form text format, which is easy for humans to read, but very difficult to act on. Using message parsing you can extract actionable information from log messages and create alerts or simply store data in an easy-to-search format.\r\n\r\n    \u2022 Practice: Extend the configuration with a few filters and parsers to make it more complex. 
To see the results of parsing, we use templates on the output side to include name-value pairs.\r\n\r\n    \u2022 See the differences between syslog-ng 3 and 4\r\n\r\n    \u2022 Practice: Store the results in Elasticsearch and display them in Kibana.\r\n\r\n    \u2022 Q&A session (if there is some time left): touch on a few additional topics, based on questions from the audience.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RRBVLJ", "name": "Peter Czanik, syslog-ng PO at One Identity", "avatar": "https://cfp.pass-the-salt.org/media/avatars/czp_uj_balabit_crop_36wP6Rd.jpg", "biography": "Peter is an engineer working as open source evangelist at Balabit (a One Identity business), the company that developed syslog-ng. He assists distributions in maintaining the syslog-ng package, follows bug trackers, helps users and talks regularly about sudo and syslog-ng at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.", "public_name": "Peter Czanik, syslog-ng PO at One Identity", "guid": "4ebe43d9-92da-56e9-b538-7535b68c3101", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/RRBVLJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/DEPJLQ/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/DEPJLQ/", "attachments": []}]}}, {"index": 3, "date": "2023-07-05", "day_start": "2023-07-05T04:00:00+02:00", "day_end": "2023-07-06T03:59:00+02:00", "rooms": {"Amphitheater": [{"guid": "8f689530-b1e1-5062-ac6c-f551055a310d", "code": "9ZH9NP", "id": 94, "logo": null, "date": "2023-07-05T10:00:00+02:00", "start": "10:00", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-94-php-filter-chains-how-to-use-it", "url": "https://cfp.pass-the-salt.org/pts2023/talk/9ZH9NP/", "title": "PHP filter chains: How to use it", "subtitle": "", "track": "Web Pentest", "type": "Talk", "language": 
"en", "abstract": "Local file inclusion methods in PHP evolved through time, there are 2 main objectives when exploiting them:\r\n- Getting a remote code execution by including files containing PHP via include() or require() functions.\r\n- Leak local files such as PHP sources or configuration files via file_get_contents() or file() functions for example.\r\n\r\nIn the past, the following requirements had to be met to exploit a local file inclusion.\r\nTo exploit a remote code execution you could inject information in log files and include them, or control a variable in your PHP session to poison the session file. But in most cases, you needed to be able to upload a file on the system.\r\nTo leak local files, it was required to either fully control the path pointing to the file to leak, or to have a path traversal to go up in the file tree. Most importantly, it was mandatory for the server to send you back its content in the response.\r\n\r\nIn both cases, the affected functions support several wrappers, the most iconic being file:// which is a prefix before a file path. Other wrappers such as php://filter can be passed on these methods and for example it was well known to allow leaking PHP sources by base64 encoding them (ex : php://filter/convert.base64-encode/resource=index.php). \r\nIn a 2021 CTF write-up by loknop , this wrapper was actually proven to be much more useful. Indeed, it allows setting the encoding of contents passing through it, and most importantly to chain an infinite number of encodings leading to the generation of arbitrary data at the start of a file. 
In this presentation, the full process will be explained with examples allowing, for instance, to generate interesting prefixes to a file content, such as '<?php system(\"id\"); ?>', therefore removing the need to have a file upload when exploiting include() or require() functions to get remote code execution (if the full path is controlled).\r\n\r\nIn 2022, hash_kitten showed that it was also possible to use PHP filter chains as an error-based oracle when used in many built-in functions, such as file_get_contents(). This method chains encodings that will make the content size of a file exponential, triggering a PHP memory_limit exhaustion. By using other filters, the first character of the file content can also be determined. By using other encodings it is also possible to rotate the chain order to retrieve characters that are located further away in the content.\r\nUsing this error-based oracle, it is therefore possible to leak the entire file content without having PHP serve it in a server response.", "description": "This talk aims to explain in which cases PHP filter chains can be used and why these tricks can be useful during an audit, with examples.\r\nAlong with it, we will show vulnerable code samples and ways to patch them.\r\n\r\nTwo tools were developed to exploit it and will also be presented:\r\n- https://github.com/synacktiv/php_filter_chain_generator\r\n- https://github.com/synacktiv/php_filter_chains_oracle_exploit", "recording_license": "", "do_not_record": false, "persons": [{"code": "NCLGMX", "name": "R\u00e9mi Matasse (Security research, Synacktiv)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/NCLGMX_TlaioZo.webp", "biography": "Security Ninja @Synacktiv", "public_name": "R\u00e9mi Matasse (Security research, Synacktiv)", "guid": "1a75cd13-7e9c-5cb8-aa7e-cec6a7ef6e80", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/NCLGMX/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/9ZH9NP/feedback/", "origin_url": 
"https://cfp.pass-the-salt.org/pts2023/talk/9ZH9NP/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/9ZH9NP/resources/PTS2023-Talk-16-php_filter_chains_uRF0Igj.pdf", "type": "related"}, {"title": "demo_blind_oracle", "url": "/media/pts2023/submissions/9ZH9NP/resources/PTS2023-Talk-16-php_filter_chains_demo_blind_oracle_ApF62xO.mkv", "type": "related"}]}, {"guid": "5513d1a9-ea39-5135-a333-dea9c632fff4", "code": "LQ7RVH", "id": 108, "logo": null, "date": "2023-07-05T10:35:00+02:00", "start": "10:35", "duration": "00:20", "room": "Amphitheater", "slug": "pts2023-108-zekrom-an-open-source-library-of-arithmetization-oriented-constructions-for-zksnark-circuits", "url": "https://cfp.pass-the-salt.org/pts2023/talk/LQ7RVH/", "title": "zekrom: an open-source library of arithmetization-oriented constructions for zkSNARK circuits", "subtitle": "", "track": "Cryptography", "type": "Short Talk", "language": "en", "abstract": "Over the last few years, the popularity of proving systems based on zkSNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) has risen, typically due to real-world use cases such as private authentication, private set membership, proofs of correct execution by a non-trusted entity and more.\r\n\r\nThere are different proving systems that have been proposed in the last 5-7 years (Groth16, Marlin, PLONK, TurboPLONK, etc.), with their primary objectives being reducing the size of the proof, reducing the proving/verifying time and minimizing the need for a trusted setup. Further, there are different ways to implement zkSNARKs, but the common idea behind all of them is that the construction has to be represented in an arithmetic circuit on top of a finite field. This is possible using domain-specific languages (DSLs) such as Circom or Leo, or using a library such as gnark, Halo2 or arkworks-rs.\r\n\r\nIn the aforementioned applications, typically, encryption and hashing operations are needed. 
However, the performance of traditional designs such as AES or BLAKE2 is not optimal in circuits. This has led to the emergence of arithmetization-oriented constructions for hashing and encryption. Moreover, the Sponge API for Field Elements (SAFE API) has been recently proposed, which can be used to create different cryptographic primitives for zkSNARK circuits using the sponge construction. In many cases, the performance of this type of construction and the difficulty of implementing it using modern libraries for creating circuits have not been evaluated.\r\n\r\nIn this talk, we present zekrom, an open-source library of arithmetization-oriented constructions for zkSNARK circuits. The goal of zekrom is to analyze the performance of novel constructions for circuits using modern libraries such as arkworks-rs and Halo2 and frameworks such as the SAFE API. Other goals of zekrom are: 1) to provide recently proposed arithmetization-oriented constructions for creating privacy-friendly applications based on zero-knowledge proofs, 2) to help developers by providing tools to generate the type of parameters that this type of construction requires, and 3) to provide a reusable implementation of the SAFE API that can be easily adapted to newly proposed permutations for circuits. Finally, in our talk, we'll describe the obstacles we have found when implementing this type of construction.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "WYCKQY", "name": "Antonio de la Piedra", "avatar": "https://cfp.pass-the-salt.org/media/avatars/Antonio-De-La-Piedra_hudsZJ8.jpg", "biography": "Antonio de la Piedra's background is related to Cryptographic Engineering and Embedded Security. He has participated in the NIST Post-Quantum Cryptography Standardization project within the NewHope team and in different international and national-scale projects related to Privacy Enhancing Technologies. 
He has talked at conferences like CHES, INDOCRYPT, Black Hat Europe, Black Hat Asia, etc. Currently, he works as a security researcher at Kudelski Security.", "public_name": "Antonio de la Piedra", "guid": "edeaa95d-9c1e-5563-8b44-cb8c16ec611d", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/WYCKQY/"}, {"code": "UWTMCC", "name": "Laurent Thoeny", "avatar": "https://cfp.pass-the-salt.org/media/avatars/rachel-tog_jreDoQp.jpg", "biography": "Currently, a C and Rust software engineer @ Cysec\r\nCybersecurity and cryptography enthusiast, formerly at Kudelski Security", "public_name": "Laurent Thoeny", "guid": "e6feb9a6-5900-5abb-af58-789d9984ae27", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/UWTMCC/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/LQ7RVH/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/LQ7RVH/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/LQ7RVH/resources/PTS2023-Talk-17-zekrom_b2rCSlW.pdf", "type": "related"}]}, {"guid": "0c878801-f353-58ff-b723-1b8cd1dfa5fd", "code": "ZQAXNB", "id": 91, "logo": null, "date": "2023-07-05T11:25:00+02:00", "start": "11:25", "duration": "00:20", "room": "Amphitheater", "slug": "pts2023-91-asn-1-templating-for-fun-and-profit", "url": "https://cfp.pass-the-salt.org/pts2023/talk/ZQAXNB/", "title": "ASN.1 templating for fun and profit", "subtitle": "", "track": "File Formats Horror Stories", "type": "Short Talk", "language": "en", "abstract": "Editing DER encoded ASN.1 structures is pretty tedious work when done manually.\r\nSolutions to this problem exist. 
For instance, der-ascii [0] is a tool written in Go that helps with back and forth conversions from/to DER structures to/from a textual representation using a custom defined language.\r\nI present a somewhat short Perl script [1] that leverages the OpenSSL configuration language along with the ```ASN1_generate_nconf(3)``` function in order to achieve the same goal with almost no dependencies apart from Perl and OpenSSL.\r\nThis tool can be used to ease the exploitation of CVE-2022-0778 [2] & [3].\r\n\r\n[0] https://github.com/google/der-ascii\r\n[1] https://github.com/wllm-rbnt/asn1template\r\n[2] https://www.openssl.org/news/secadv/20220315.txt\r\n[3] https://github.com/drago-96/CVE-2022-0778#using-asn1-templates", "description": "Remember the OpenSSL vulnerability referenced as CVE-2022-0778 (15/03/2022)...\r\n\r\nhttps://www.openssl.org/news/secadv/20220315.txt\r\n\r\nHere is an excerpt from it:\r\n```\r\n\"The BN_mod_sqrt() function, which computes a modular square root, contains a\r\nbug that can cause it to loop forever for non-prime moduli.\r\n\r\n[...] used when parsing certificates that contain elliptic curve public keys in\r\ncompressed form [...]\r\n\r\nIt is possible to trigger the infinite loop by crafting a certificate that has\r\ninvalid explicit curve parameters. [...]\r\n\r\nSince certificate parsing happens prior to verification of the certificate\r\nsignature, any process that parses an externally supplied certificate may thus\r\nbe subject to a denial of service attack. [...]\r\n\r\nThus vulnerable situations include:\r\n\r\n - TLS clients consuming server certificates\r\n - TLS servers consuming client certificates\r\n - Hosting providers taking certificates or private keys from customers\r\n - Certificate authorities parsing certification requests from subscribers\r\n - Anything else which parses ASN.1 elliptic curve parameters\r\n[...]\"\r\n```\r\n\r\nSuccessful exploitation of CVE-2022-0778 can be done in 3 steps:\r\n 1. 
Generate EC parameters that have some interesting properties as defined in the vulnerability description\r\n 2. Create or modify an already existing encoded ASN.1 cryptographic structure using these parameters\r\n 3. Submit the structure to a service that uses a vulnerable OpenSSL library\r\n\r\nThis presentation is about step ```2.``` .\r\n\r\nThe ASN.1 cryptographic structures we are considering here are often complex\r\nnested structures. \r\n\r\nThe problem lies in the fact that such ASN.1 cryptographic structures are\r\nencoded using a binary format (DER - Distinguished Encoding Rules) that follows\r\na Type-Length-Value (TLV) logic. Each member of the structure is encoded as its\r\ntype identifier, followed by its total length (its own length along with the\r\nlength of its sub-members), and finally, its value, including the one of all its\r\nsub-members.\r\n\r\nAs an example, here is an ASN.1 sequence containing 2 integers:\r\n```\r\n    SEQUENCE:\r\n        INTEGER:0x12\r\n        INTEGER:0x34\r\n```\r\n\r\nIts DER representation can be dissected like this:\r\n```\r\n          /--> type: SEQUENCE\r\n          /  /--> length: 6 bytes\r\n          /  /  /***************/--> value: the two DER encoded INTEGERs\r\n00000000  30 06 02 01 12 02 01 34                           |0......4|\r\n                /  /  /  /  /  /--> value: 0x34\r\n                /  /  /  /  /--> length: 1 byte\r\n                /  /  /  /--> type: INTEGER\r\n                /  /  /--> value: 0x12\r\n                /  /--> length: 1 byte\r\n                /--> type: INTEGER\r\n```\r\n\r\nThe editing process of such a binary structure is error prone. 
One needs to keep\r\ntrack of the modifications made to inner objects in order to reflect length\r\nupdates to the outer surrounding objects.\r\nFor instance, we could replace the second INTEGER in the previous example with a\r\nlonger INTEGER (2 bytes instead of 1) with value 0x3456:\r\n\r\n```\r\n    SEQUENCE:\r\n        INTEGER:0x12\r\n        INTEGER:0x3456\r\n```\r\n\r\nThis means that the second integer now has a length of 2 bytes and that the\r\nencoded length of the surrounding sequence has to be incremented.\r\n```\r\n             /--> Outer SEQUENCE is now 7 bytes long\r\n             /              /--> second INTEGER in outer SEQUENCE is now 2 bytes long\r\n00000000  30 07 02 01 12 02 02 34  56                       |0......4V|\r\n```\r\n\r\nSimple structures like the one from this example are easy to edit manually with\r\na hex editor. Larger structures composed of multiple depths of nested\r\nsub-structures are a pain to edit. A single mistake would make the whole\r\nstructure unusable.\r\n\r\nThis presentation is about a tool that predates existing solutions such as\r\n```der-ascii```, and that I dusted off when CVE-2022-0778 was announced last\r\nyear.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CFHTNW", "name": "William Robinet", "avatar": null, "biography": "I manage the technical team that is behind AS197692 at Conostix S.A. 
in Luxembourg [0].\r\nI've been working with free and opensource software on a daily basis for more than 25 years.\r\nI contributed to the cleanup and enhancement efforts done on ssldump [1] lately.\r\nI particularly enjoy tinkering with open and, not so open, hardware.\r\n\r\nContact: @wr@infosec.exchange\r\n\r\n[0] https://www.conostix.com\r\n[1] https://github.com/adulau/ssldump/", "public_name": "William Robinet", "guid": "8d716bca-6307-56e5-9f1a-a9b54fa4df3e", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/CFHTNW/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/ZQAXNB/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/ZQAXNB/", "attachments": [{"title": "Slides", "url": "/media/pts2023/submissions/ZQAXNB/resources/PTS2023-Talk-18-ASN1_CvFkWtk.pdf", "type": "related"}]}, {"guid": "a3f84bb2-ce71-5177-9f0f-20317a09249a", "code": "8TXSWF", "id": 117, "logo": null, "date": "2023-07-05T11:45:00+02:00", "start": "11:45", "duration": "00:20", "room": "Amphitheater", "slug": "pts2023-117-how-to-survive-to-stix-parsing", "url": "https://cfp.pass-the-salt.org/pts2023/talk/8TXSWF/", "title": "How to survive to STIX parsing?", "subtitle": "", "track": "File Formats Horror Stories", "type": "Short Talk", "language": "en", "abstract": "Ensuring the seamless flow of threat intelligence between sharing communities, CTI pipelines, and detection engineering teams heavily relies on the interoperability of CTI standards.  \r\nTo achieve this, the [`misp-stix`](https://github.com/misp/misp-stix) Python library (>=3.8) was developed and specifically designed to handle all conversions between the MISP standard format and STIX formats.  \r\nThis library serves as a versatile and comprehensive solution that addresses the challenges faced in CTI standard conversion.  
\r\nIn this talk, we will discuss the implementation of `misp-stix`, which provides a generic Python library that supports various formats and conversions.", "description": "When it comes to discussions about exchanging threat intelligence, STIX is often mentioned as a standard for representing and sharing structured information.  \r\nHowever, the differences between STIX 1.x in XML and STIX 2.x in JSON can pose challenges for analysts and their tools to parse and consume the content easily and automatically.\r\n\r\nTo address this issue, `misp-stix` provides a straightforward conversion between different versions of STIX formats specialized in threat intelligence exchange and the generic MISP standard, which is widely used worldwide to share information across different domains and fields.\r\n\r\nEffective interoperability between CTI standards is crucial to ensure smooth information exchange among sharing communities. By reducing the gap between different conceptions of exchange standards, `misp-stix` aims to facilitate this process.\r\n\r\nDuring the presentation, we will showcase real-life examples of the challenges we face and the solutions we have developed to improve the interoperability and re-usability of knowledge bases, such as misp taxonomies, object templates, and galaxies. These tools are used in MISP and many other CTI tools, and are essential for exchanging structured threat intelligence effectively.", "recording_license": "", "do_not_record": false, "persons": [{"code": "AL3XHB", "name": "Christian Studer", "avatar": "https://cfp.pass-the-salt.org/media/avatars/WhatsApp_Image_2019-05-23_at_09.26.34_GNDOXNF.jpg", "biography": "Christian Studer joined CIRCL in 2017 after he graduated with a Master in Computer Science. During his master thesis at CIRCL he showed his capacity to lead existing CIRCL software such as the Potiron framework, a tool to normalize, index and visualize network captures. 
He is mainly working on MISP, contributing to the core development and several integrations with other tools and formats; most notably, he leads the STIX implementation of the project. He is also the co-chair of the OASIS CTI STIX Subcommittee.", "public_name": "Christian Studer", "guid": "87eb84e6-0e50-5dff-890e-717ed7df6d49", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/AL3XHB/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/8TXSWF/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/8TXSWF/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/8TXSWF/resources/PTS2023-Talk-19-STIX_kqFQVsB.pdf", "type": "related"}]}, {"guid": "fb0a386f-bff2-5975-8f2f-fe4fadc9d50d", "code": "HMTA3X", "id": 105, "logo": null, "date": "2023-07-05T14:00:00+02:00", "start": "14:00", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-105-decrypt-kerberos-ntlm-encrypted-stub-data-in-wireshark", "url": "https://cfp.pass-the-salt.org/pts2023/talk/HMTA3X/", "title": "Decrypt Kerberos/NTLM \u201cencrypted stub data\u201d in Wireshark", "subtitle": "", "track": "Network Detection & Forensics", "type": "Talk", "language": "en", "abstract": "We often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC! But we are often interrupted in our enthusiasm by the payload dissected as \u201cencrypted stub data\u201d. Until we discover that Wireshark has a helpful feature to decrypt this traffic, which is protected by secrets derived from the prior Kerberos or NTLM authentication. We will briefly describe the theory and show in practice how to configure Wireshark, and fill the required keytab file, so this \u201cencrypted stub data\u201d gets decrypted. 
This feature will offer you more visibility into those protocols in your future network analysis sessions (security research, network forensics, etc.)", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "CTEGBS", "name": "Cl\u00e9ment Notin", "avatar": "https://cfp.pass-the-salt.org/media/avatars/Cl%C3%A9ment_Notin_carr%C3%A9_ISAOTSu.jpg", "biography": "Cl\u00e9ment Notin has been a cybersecurity engineer for around ten years.\r\nHe started as a pentester and auditor, first in a consulting company, then for a global French industrial group.\r\nHe is now a researcher in Active Directory security for Tenable in order to contribute to the Tenable.ad product that allows identifying in real time the weaknesses of such environments and detecting the attacks underway.", "public_name": "Cl\u00e9ment Notin", "guid": "e17c58c2-33ff-546e-bf92-2be875b0adc0", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/CTEGBS/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/HMTA3X/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/HMTA3X/", "attachments": [{"title": "Exercise files if you want to follow along or train yourself after the session", "url": "/media/pts2023/submissions/HMTA3X/resources/PTS2023-Talk-20-Decrypt_Kerberos_NTLM_with_Wireshar_vV0AYyc.zip", "type": "related"}, {"title": "slides", "url": "/media/pts2023/submissions/HMTA3X/resources/PTS2023-Talk-20-Decrypt_Kerberos_NTLM_with_Wireshar_8CQeTmK.pdf", "type": "related"}]}, {"guid": "92bcbee5-dbf6-5c2b-9712-0cb92fd13a63", "code": "EQL3KQ", "id": 125, "logo": null, "date": "2023-07-05T14:35:00+02:00", "start": "14:35", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-125-using-suricata-to-detect-lateral-movement-in-windows-environment", "url": "https://cfp.pass-the-salt.org/pts2023/talk/EQL3KQ/", "title": "Using Suricata to detect lateral movement in Windows environment", "subtitle": "", "track": "Network Detection & Forensics", "type": "Talk", "language": "en", "abstract": "Suricata can be used to provide visibility and build detection of lateral movement in Windows environments using dedicated signatures or analysis of network security monitoring data. The talk will provide practical methods to increase visibility and provide detection of attacks.", "description": "This talk will describe how [Suricata](https://suricata.io) IDS and NSM features can be used to detect lateral movement in Windows based environments. The focus will be on SMB based attacks (including Red Team Tooling), with specific attention on the DCERPC layer of SMB, but data extracted from protocols such as Kerberos will also be looked at.\r\n\r\nThe talk will include a presentation of the free [SMB lateral ruleset](https://www.stamus-networks.com/blog/new-open-ruleset-for-detecting-lateral-movement-with-suricata) published by Stamus Networks. It will show some practical hunting techniques that can be used when working with the SMB protocol.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KLRNEJ", "name": "\u00c9ric Leblond", "avatar": "https://cfp.pass-the-salt.org/media/avatars/Stamus_Eric_small_W2BJKAY.jpeg", "biography": "\u00c9ric has more than 15 years of experience as co-founder and CTO of cybersecurity software companies and is an active member of the security and open source communities. 
He has worked on the development of Suricata \u2013 the open source network threat detection engine \u2013 since 2009, is a board member of OISF, and was a member of the Netfilter Core Team for the Linux kernel's firewall layer.", "public_name": "\u00c9ric Leblond", "guid": "a2fc1a01-ec14-5b94-8e43-a8b74250f3d3", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/KLRNEJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/EQL3KQ/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/EQL3KQ/", "attachments": [{"title": "Slides", "url": "/media/pts2023/submissions/EQL3KQ/resources/PTS2023-Talk-21-Detect-Lateral-Movement-with-Surica_xgz7zm6.pdf", "type": "related"}]}, {"guid": "b94e9c09-151b-51c7-b22c-ec98932e11df", "code": "UV9F9J", "id": 78, "logo": null, "date": "2023-07-05T15:10:00+02:00", "start": "15:10", "duration": "00:35", "room": "Amphitheater", "slug": "pts2023-78-why-cyberoffense-will-never-be-regulated", "url": "https://cfp.pass-the-salt.org/pts2023/talk/UV9F9J/", "title": "Why cyberoffense will never be regulated", "subtitle": "", "track": "Closing Talk", "type": "Talk", "language": "en", "abstract": "Despite strong public statements that they want \"a safer internet for everyone\", many states appear to be double-dealing in the cyber-space and engage in the very activities they discourage. In order to convince decision-makers to genuinely discuss acceptable behavior in the cyberspace, we need to give up on moral arguments and focus on pragmatic reasons to favor defense. But the incentives towards offense may just be too strong.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BNDFWU", "name": "Ivan Kwiatkowski", "avatar": null, "biography": "An OSCP and OSCE-certified penetration tester and malware analyst working as a Senior Security Researcher in the Global Research and Analysis Team (GReAT) at Kaspersky Lab since 2018. 
Also delivers Kaspersky\u2019s reverse-engineering trainings in Europe. Ivan maintains an open-source dissection tool for Windows executables and his research was presented during several cybersecurity conferences. As a digital privacy activist, he also operates an exit node of the Tor network.", "public_name": "Ivan Kwiatkowski", "guid": "d3296c77-838a-5f20-9715-d4839a766291", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/BNDFWU/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/UV9F9J/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/UV9F9J/", "attachments": [{"title": "slides", "url": "/media/pts2023/submissions/UV9F9J/resources/PTS2023-Talk-22-Closing-Keynote-Why-cyber-offense-w_sVjBk8C.png", "type": "related"}]}], "Workshop room": [{"guid": "62eac879-c816-5c73-894b-0cb77a02e3af", "code": "A3GZXD", "id": 127, "logo": null, "date": "2023-07-05T09:40:00+02:00", "start": "09:40", "duration": "03:00", "room": "Workshop room", "slug": "pts2023-127-scapy-hands-on", "url": "https://cfp.pass-the-salt.org/pts2023/talk/A3GZXD/", "title": "Scapy Hands-on", "subtitle": "", "track": "Network Detection & Forensics", "type": "Workshop", "language": "en", "abstract": "Scapy (https://www.scapy.net & https://github.com/secdev/scapy) is a powerful Python-based interactive packet manipulation program and library. 
It can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.", "description": "This workshop will describe its main features step by step, and will let you explore the following topics:\r\n- packets manipulation\r\n- sending & receiving packets\r\n- visualization\r\n- IPv6 and TLS support\r\n- implementing a new protocol\r\n- answering machines\r\n- automaton\r\n- pipes\r\n\r\nRequirements: a laptop running Linux (native or virtualized) and a fresh Scapy install from github", "recording_license": "", "do_not_record": false, "persons": [{"code": "GJ3ECC", "name": "Guillaume Valadon", "avatar": null, "biography": "Guillaume Valadon is the Director of Security Research at Quarkslab and holds a PhD in networking. He likes looking at data and crafting packets. In his spare time, he co-maintains Scapy and learns reversing embedded devices. Also, he still remembers what AT+MS=V34 means! Guillaume regularly gives technical presentations, classes and live demonstrations, and writes research papers for conferences and magazines.", "public_name": "Guillaume Valadon", "guid": "454d5d0a-caf3-578d-98c3-94d78e4e7822", "url": "https://cfp.pass-the-salt.org/pts2023/speaker/GJ3ECC/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2023/talk/A3GZXD/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2023/talk/A3GZXD/", "attachments": []}]}}]}}}